Part I :

Honeypot technology :

What is a honeypot?
An information system resource whose value lies in unauthorized or illicit use of that resource
Has no production value, so anything going in or out of the honeypot is likely a probe, attack, or compromise
Primary value to most organizations is information

Sebek client technique :

Part 2 :

Current problems of Sebek
Easy to identify
How easy is it?
Possible even with an unprivileged user
How?
7 methods to defeat Sebek

Sebek client requirement :

Most vital requirement for a data capture tool: function as covertly as possible
Otherwise, game over
No more chance to watch the attacker
No more chance to catch a 0-day bug (you daydream?)
Attacker can corrupt the honeypot
Who fools whom then?

But can Sebek deliver? :

Hmm, not really. Various ways to defeat Sebek:
1. Can be discovered even by an unprivileged user
2. Network statistics disclose Sebek
3. Brute-force scanning method
4. System-call address checking
5. Removing Sebek is feasible
6. Sniff at the right place
7. Bring down the central logging server

Method (1) :

Sebek can be discovered even by an unprivileged user
dd-attack (proposed by Maximilian et al.)
Generate lots of data
Check whether the network becomes congested. Why?
Because Sebek employs the network stack to send the captured data out

Scalability :

Xen's future: Bright :

Xen 3.0 was released at the end of 2005
Objective: to be gradually merged into the Linux kernel from the first half of 2006
Already adopted by ISPs, datacenters, banks, ...
Will be widely used in the near future

Xebek solution for Xen-based honeynet :

Xebek goals and approaches :

(1) Capture data as Sebek does, but with some improvements
(2) Eliminate problems of leaving too many traces when forwarding data out
(3) Harden the central logging server

Goal (1) :

Capture data as Sebek does, but with some improvements
Sebek3 captures data by intercepting system calls (read/write/open/fork/socket)
==> so does Xebek.
But Xebek patches the system calls, so Xebek does not run as a kernel module
Sebek's problems (for reference):
(1) Uses network stack to send data out
(2) Data can be sniffed
(3) Functions as a KLM & replaces original system calls
(4) Central logging server exposed to the network
(5) Data transfer might not be reliable (UDP)

Goal (2) :

Eliminate problems of leaving too many traces when forwarding data out
Xebek does not use the network stack to deliver data as Sebek does
Uses shared memory between DomU and Dom0 instead to exchange data

Goal (3) :

Harden the central logging server
Put the central logging server in Dom0 to pick up data forwarded from DomU
No longer exposed to the network
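The DomU-to-Dom0 data path of goals (2) and (3), as an added model in C that is not Xebek's own code: the patched syscall in DomU writes capture records into a shared-memory ring, and the logging server in Dom0 drains it, so no packet ever crosses the network. The ring layout, the record fields, the sizes and the `xebek_*` names are assumptions made for this illustration, and a plain struct stands in for the Xen shared page.

```c
/* Added example (not Xebek's own code): a model of the data path on these slides,
 * where DomU writes capture records into a shared-memory ring that Dom0 drains.
 * The ring layout, record fields and sizes are assumptions for illustration. */
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 8   /* assumed; must be a power of two */
#define DATA_MAX   32  /* assumed bytes of syscall payload kept per record */
enum xcall { X_READ, X_WRITE, X_OPEN, X_FORK, X_SOCKET };          /* calls the slides name */
struct xrec { uint32_t pid, fd, call, len; char data[DATA_MAX]; }; /* assumed layout */

/* Page shared by DomU (producer) and Dom0 (consumer). Under Xen this would be a
 * granted page; here it is a plain struct so the model runs as a normal program. */
struct xring {
    volatile uint32_t head, tail;  /* head advanced by DomU, tail by Dom0 */
    uint32_t dropped;              /* records refused because the ring was full */
    struct xrec slot[RING_SLOTS];
};

/* DomU side, called from the patched syscall. Returns 1 if queued, 0 if dropped.
 * Unlike a UDP send, a full ring is visible: the producer counts what it could not log. */
int xebek_put(struct xring *r, uint32_t pid, uint32_t fd, enum xcall c,
              const void *buf, uint32_t n) {
    if (r->head - r->tail == RING_SLOTS) { r->dropped++; return 0; }
    struct xrec *e = &r->slot[r->head % RING_SLOTS];
    e->pid = pid; e->fd = fd; e->call = c;
    e->len = n > DATA_MAX ? DATA_MAX : n;
    memcpy(e->data, buf, e->len);
    __sync_synchronize();          /* publish the record before moving head */
    r->head++;
    return 1;
}

/* Dom0 side: the logging server drains the ring into its log; returns records taken. */
int xebek_drain(struct xring *r, struct xrec *out, int max) {
    int n = 0;
    for (; n < max && r->tail != r->head; r->tail++) {
        __sync_synchronize();      /* see the record DomU published before head moved */
        out[n++] = r->slot[r->tail % RING_SLOTS];
    }
    return n;
}

/* Constructed scenario: 10 read() captures into 8 slots before Dom0 drains.
 * Returns the records Dom0 logged and reports how many DomU had to drop. */
int xebek_demo(uint32_t *dropped) {
    struct xring ring = {0}; struct xrec log[RING_SLOTS];
    for (int i = 0; i < 10; i++) xebek_put(&ring, 1234, 0, X_READ, "ls -la\n", 7);
    *dropped = ring.dropped;
    return xebek_drain(&ring, log, RING_SLOTS);
}
```

In the constructed scenario `xebek_demo` returns 8 logged records and reports 2 drops, which is the point of item (5): with a shared ring the honeynet operator can see lost captures, whereas lost UDP datagrams vanish silently.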